SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket
==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x387e/0x4b50 kernel/locking/lockdep.c:3092
Read of size 8 at addr ffff8800b7d64ff8 by task syz-executor2/1081

CPU: 0 PID: 1081 Comm: syz-executor2 Not tainted 4.4.105-gdcfa5fe #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 5bcd6520d1ed8985 ffff8801d2337880 ffffffff81cc90ef
 ffffea0002df5900 ffff8800b7d64ff8 ffff8801d23378b8 ffffffff814d9e03
 ffff8800b7d64ff8 0000000000000008 0000000000000000 ffff8800b7d64ff8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] __lock_acquire+0x387e/0x4b50 kernel/locking/lockdep.c:3092
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:186 [inline]
 [] _raw_write_lock_irqsave+0x4e/0x70 kernel/locking/spinlock.c:303
 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132
 [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848
 [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538
 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432
 [] vfs_read+0xe1/0x340 fs/read_write.c:454
 [] SYSC_read fs/read_write.c:569 [inline]
 [] SyS_read+0xd3/0x1c0 fs/read_write.c:562
 [] entry_SYSCALL_64_fastpath+0x16/0x76

Allocated by task 1081:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xba/0x290 mm/slub.c:2628
 [] fasync_alloc fs/fcntl.c:603 [inline]
 [] fasync_add_entry fs/fcntl.c:661 [inline]
 [] fasync_helper+0x29/0x90 fs/fcntl.c:690
 [] sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
 [] setfl fs/fcntl.c:69 [inline]
 [] do_fcntl fs/fcntl.c:266 [inline]
 [] SYSC_fcntl fs/fcntl.c:371 [inline]
 [] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356
 [] entry_SYSCALL_64_fastpath+0x16/0x76

Freed by task 14:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kmem_cache_free+0xb2/0x310 mm/slub.c:2881
 [] fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
 [] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 [] rcu_do_batch kernel/rcu/tree.c:2705 [inline]
 [] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
 [] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
 [] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
 [] __do_softirq+0x24d/0xa59 kernel/softirq.c:273

The buggy address belongs to the object at ffff8800b7d64f80
 which belongs to the cache fasync_cache of size 96
The buggy address is located 24 bytes to the right of
 96-byte region [ffff8800b7d64f80, ffff8800b7d64fe0)
The buggy address belongs to the page:

=================================
[ INFO: inconsistent lock state ]
4.4.105-gdcfa5fe #7 Not tainted
---------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
swapper/1/0 [HC0[0]:SC1[1]:HE0:SE0] takes:
 (&mapping->i_mmap_rwsem){++?+..}, at: [] try_to_wake_up+0x2c/0xf60 kernel/sched/core.c:1972
{SOFTIRQ-ON-W} state was registered at:
 [] mark_irqflags kernel/locking/lockdep.c:2817 [inline]
 [] __lock_acquire+0xabd/0x4b50 kernel/locking/lockdep.c:3169
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] down_write+0x41/0xa0 kernel/locking/rwsem.c:49
 [] i_mmap_lock_write include/linux/fs.h:502 [inline]
 [] vma_link+0x8d/0x160 mm/mmap.c:702
 [] mmap_region+0x8e3/0x1200 mm/mmap.c:1685
 [] do_mmap+0x47d/0xab0 mm/mmap.c:1441
 [] do_mmap_pgoff include/linux/mm.h:1915 [inline]
 [] vm_mmap_pgoff+0x14a/0x1b0 mm/util.c:272
 [] vm_mmap+0x30/0x40 mm/util.c:290
 [] elf_map+0x187/0x250 fs/binfmt_elf.c:366
 [] load_elf_binary+0xbbe/0x4b70 fs/binfmt_elf.c:970
 [] search_binary_handler+0x124/0x610 fs/exec.c:1471
 [] exec_binprm fs/exec.c:1513 [inline]
 [] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
 [] do_execve+0x27/0x30 fs/exec.c:1679
 [] run_init_process+0x26/0x30 init/main.c:908
 [] try_to_run_init_process+0xf/0x40 init/main.c:917
 [] kernel_init+0xb0/0x110 init/main.c:986
 [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
irq event stamp: 1108653
hardirqs last  enabled at (1108652): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:170 [inline]
hardirqs last  enabled at (1108652): [] _raw_spin_unlock_irq+0x27/0x50 kernel/locking/spinlock.c:199
hardirqs last disabled at (1108653): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
hardirqs last disabled at (1108653): [] _raw_spin_lock_irqsave+0x24/0x70 kernel/locking/spinlock.c:159
softirqs last  enabled at (1108640): [] _local_bh_enable+0x1c/0x50 kernel/softirq.c:144
softirqs last disabled at (1108641): [] invoke_softirq kernel/softirq.c:350 [inline]
softirqs last disabled at (1108641): [] irq_exit+0x119/0x140 kernel/softirq.c:391

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&mapping->i_mmap_rwsem);
    lock(&mapping->i_mmap_rwsem);

 *** DEADLOCK ***

1 lock held by swapper/1/0:
 #0:  (((&timer))){+.-.-.}, at: [] lockdep_copy_map include/linux/lockdep.h:165 [inline]
 #0:  (((&timer))){+.-.-.}, at: [] call_timer_fn+0xd5/0x7a0 kernel/time/timer.c:1168

stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.105-gdcfa5fe #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 2b2e23391b7d0d19 ffff8801db507920 ffffffff81cc90ef
 ffff8801da691780 ffffffff85175900 ffff8801db507990 ffffffff81227426
 0000000000000001 ffff880100000000 ffffffff00000000 ffffffff85175998
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_usage_bug+0x356/0x3b0 kernel/locking/lockdep.c:2267
 [] valid_state kernel/locking/lockdep.c:2280 [inline]
 [] mark_lock_irq kernel/locking/lockdep.c:2478 [inline]
 [] mark_lock+0xca2/0xfd0 kernel/locking/lockdep.c:2933
 [] mark_irqflags kernel/locking/lockdep.c:2799 [inline]
 [] __lock_acquire+0x9b3/0x4b50 kernel/locking/lockdep.c:3169
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline]
 [] _raw_spin_lock_irqsave+0x4e/0x70 kernel/locking/spinlock.c:159
 [] try_to_wake_up+0x2c/0xf60 kernel/sched/core.c:1972
 [] wake_up_process+0x15/0x20 kernel/sched/core.c:2140
 [] process_timeout+0x9/0x10 kernel/time/timer.c:1464
 [] call_timer_fn+0x175/0x7a0 kernel/time/timer.c:1178
 [] __run_timers kernel/time/timer.c:1254 [inline]
 [] run_timer_softirq+0x544/0xcc0 kernel/time/timer.c:1437
 [] __do_softirq+0x24d/0xa59 kernel/softirq.c:273
 [] invoke_softirq kernel/softirq.c:350 [inline]
 [] irq_exit+0x119/0x140 kernel/softirq.c:391
 [] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
 [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926
 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:695
 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline]
 [] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:291
 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:282
 [] default_idle_call+0x48/0x70 kernel/sched/idle.c:93
 [] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
 [] cpu_idle_loop kernel/sched/idle.c:253 [inline]
 [] cpu_startup_entry+0x605/0x820 kernel/sched/idle.c:301
 [] start_secondary+0x304/0x3e0 arch/x86/kernel/smpboot.c:251

PANIC: double fault, error_code: 0x0
CPU: 0 PID: 0 Comm: syz-executor2 Not tainted 4.4.105-gdcfa5fe #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d1629780 task.stack: ffff8801d2330000
RIP: 0010:[]  [] dump_page mm/debug.c:105 [inline]
RIP: 0010:[]  [] page_mapcount include/linux/mm.h:460 [inline]
RIP: 0010:[]  [] dump_page_badflags+0x165/0x260 mm/debug.c:85
RSP: 0018:ffff880100000000  EFLAGS: 00010046
RAX: 4000000000000080 RBX: ffffea0002df5900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff838a7da0 RDI: ffffea0002df5900
RBP: ffff880100000030 R08: 0000000000000000 R09: ffff8800b7d64300
R10: 0000000000000002 R11: fffffbfff0ad282e R12: 0000000000000000
R13: ffffffff838a7da0 R14: ffff8800b7d64f80 R15: ffff8800b7d64fe0
FS:  00007f6e4bf22700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800fffffff8 CR3: 00000001d30a7000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
Call Trace:
Code:
[  345.014025] ------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at include/linux/uaccess.h:15 pagefault_disabled_dec include/linux/uaccess.h:15 [inline]()
WARNING: CPU: 0 PID: 0 at include/linux/uaccess.h:15 pagefault_enable include/linux/uaccess.h:42 [inline]()
WARNING: CPU: 0 PID: 0 at include/linux/uaccess.h:15 __probe_kernel_read+0x1a5/0x200 mm/maccess.c:35()